Working of a Firewall
To understand how firewalls work, one first needs to know how the different layers of a network interact. Network architecture is designed around a seven-layer model. Each layer has its own responsibilities and handles data in a well-defined manner. Figure 2.1.1 presents the network layer architecture.
Firewalls operate at different layers and therefore use different criteria to restrict traffic. The lowest layer at which a firewall filters is the network layer of the OSI model, which corresponds to the Internet Protocol layer of the TCP/IP model. This layer is concerned with routing packets to their destination. A firewall working here determines whether a packet comes from a trusted source, but is not concerned with what the packet contains or which other packets are associated with it. Firewalls that also operate at the transport layer know more about a packet (ports and TCP flags) and grant or deny access based on that additional information.
A packet consists of an IP header followed by a TCP, UDP or ICMP header. TCP and UDP headers are in turn followed by the application message. Packet inspection focuses on the contents of the IP, TCP and UDP headers; the layouts of the IPv4, TCP and UDP headers are shown below.
When a packet enters the firewall, its header fields are matched against the rules. Packet filtering rules are based on:
Host IP address.
Network layer’s source and destination IP addresses.
Transport layer’s TCP or UDP service ports.
TCP connection flags.
The network layer’s ICMP message types.
Whether the packet is incoming or outgoing.
If the packet matches the criteria of the first rule, the firewall performs the action named by that rule's target. If it does not match, the engine moves on to the next rule in the chain, and so on. Because the rules are processed from top to bottom, the order in which they are defined is important: a broad rule placed early shadows any more specific rule below it. If the firewall cannot process its rules fast enough, the whole system slows down, so the number and order of rules also affect performance. A packet filter does not examine the data section of a packet. The ordered lists of rules defining what may come in and what may go out are called chains. Each chain has a default policy, which is applied when a packet matches none of the chain's rules. There are two basic approaches to a firewall policy:
1) Deny everything by default and explicitly allow selected packets through.
2) Accept everything by default and explicitly deny selected packets.
Moreover, a firewall offers the choice of either rejecting or dropping a denied packet. With reject, an error message (in Iptables an ICMP error or a TCP reset) is returned to the sender; with drop (called deny in some products), the packet is discarded immediately without notifying the source.
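The following Python program is an added example, not code from the report, that puts the mechanism above into running form: it decodes the IPv4, TCP, UDP and ICMP header fields that packet inspection relies on, walks a rule chain top to bottom with first-match-wins semantics and a default policy, and distinguishes REJECT (the sender is told) from DROP (silent discard). The addresses, ports and rules are constructed for illustration, and the packet bytes are built by the program itself rather than captured from a network.

```python
"""Added example: header parsing plus first-match rule chain with a default policy."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

TCP, UDP, ICMP = 6, 17, 1
SYN, ACK = 0x02, 0x10


@dataclass
class Packet:
    """The header fields a packet filter looks at; the payload is ignored."""
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None
    tcp_flags: int = 0
    icmp_type: Optional[int] = None


def parse_ipv4(raw: bytes) -> Packet:
    """Decode the IPv4 header and the transport header that follows it."""
    ihl = (raw[0] & 0x0F) * 4                   # IHL is in 32-bit words
    proto = raw[9]
    src = str(ipaddress.IPv4Address(raw[12:16]))
    dst = str(ipaddress.IPv4Address(raw[16:20]))
    body = raw[ihl:]
    if proto in (TCP, UDP):
        sport, dport = struct.unpack("!HH", body[:4])
        flags = body[13] if proto == TCP else 0  # TCP flags byte is at offset 13
        return Packet(src, dst, proto, sport, dport, flags)
    if proto == ICMP:
        return Packet(src, dst, proto, icmp_type=body[0])
    return Packet(src, dst, proto)


@dataclass
class Rule:
    """One chain entry: every criterion that is set must match."""
    target: str                        # ACCEPT, DROP or REJECT
    proto: Optional[int] = None
    src: Optional[str] = None          # CIDR, e.g. "10.0.0.0/8"
    dport: Optional[int] = None
    syn: bool = False                  # only new connections (SYN set, ACK clear)
    icmp_type: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto is not None and pkt.proto != rule.proto:
        return False
    if rule.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.syn and not (pkt.tcp_flags & SYN and not pkt.tcp_flags & ACK):
        return False
    if rule.icmp_type is not None and pkt.icmp_type != rule.icmp_type:
        return False
    return True


def evaluate(chain: List[Rule], policy: str, raw: bytes) -> str:
    """Walk the chain top to bottom; first match decides, else the default policy."""
    pkt = parse_ipv4(raw)
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy


def sender_notified(verdict: str) -> bool:
    """REJECT answers the sender with an error; DROP discards silently."""
    return verdict == "REJECT"


# --- constructed sample packets (built here, not captured) ------------------
def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def tcp(sport: int, dport: int, flags: int) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

def udp(sport: int, dport: int) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8, 0)

def icmp(type_: int) -> bytes:
    return struct.pack("!BBHHH", type_, 0, 0, 0, 0)

# Deny-by-default chain protecting host 192.0.2.1 (addresses are assumptions).
CHAIN = [
    Rule("ACCEPT", proto=TCP, src="10.0.0.0/8", dport=22),  # SSH from the internal net
    Rule("REJECT", proto=TCP, dport=22, syn=True),          # new SSH from elsewhere: tell sender
    Rule("ACCEPT", proto=TCP, dport=80),                     # web from anywhere
    Rule("ACCEPT", proto=ICMP, icmp_type=8),                 # echo request
]
POLICY = "DROP"

SSH_INTERNAL = ipv4("10.1.2.3", "192.0.2.1", TCP, tcp(40000, 22, SYN))
SSH_EXTERNAL = ipv4("198.51.100.5", "192.0.2.1", TCP, tcp(40001, 22, SYN))
SSH_EXT_ACK = ipv4("198.51.100.5", "192.0.2.1", TCP, tcp(40001, 22, ACK))
DNS_QUERY = ipv4("198.51.100.5", "192.0.2.1", UDP, udp(5353, 53))
PING = ipv4("198.51.100.5", "192.0.2.1", ICMP, icmp(8))

if __name__ == "__main__":
    for name, raw in [("ssh internal", SSH_INTERNAL), ("ssh external syn", SSH_EXTERNAL),
                      ("ssh external ack", SSH_EXT_ACK), ("dns", DNS_QUERY), ("ping", PING)]:
        print(f"{name:17s} -> {evaluate(CHAIN, POLICY, raw)}")
    # Order matters: the REJECT placed first shadows the internal ACCEPT.
    print("reordered ssh internal ->", evaluate([CHAIN[1], CHAIN[0]], POLICY, SSH_INTERNAL))
```

Note how the same port gets two different verdicts: a new SSH attempt from outside is rejected with an error, while a stray ACK to the same port matches nothing and falls through to the chain's DROP policy. Swapping the first two rules shows why rule order matters, since the internal connection is then rejected before its ACCEPT rule is reached.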
Types of Firewalls
Software firewalls are divided into four main categories:
Packet filtering firewall.
Circuit level gateways.
Application level gateways.
Stateful multilayer inspection firewall.
Packet Filtering Firewall
A packet filtering firewall applies a set of rules to each packet and decides whether to forward it toward its destination or drop it. The firewall is typically configured to filter packets in both directions, inbound and outbound. Packet filters permit or deny network traffic based on the following information:
Source IP address and Destination IP address.
Protocols, such as TCP, UDP.
Source ports and Destination ports.
Direction (inbound or outbound).
The physical interface on which the packet arrives or leaves.
Circuit Level Gateways
Circuit level gateways work at the session layer of the OSI model, or the TCP layer of the TCP/IP model. This type of firewall monitors the TCP handshake between the two hosts to determine whether a requested session is legitimate. Once a session is allowed it relays the traffic without filtering individual packets, and because connections appear to originate from the gateway it hides information about the private network it protects.
Application Level Gateways
Application level gateways, also called proxies, are similar to circuit level gateways except that they are application specific. In other words, incoming or outgoing packets cannot reach services for which there is no proxy: an application gateway configured only as a web proxy, for example, will not pass FTP, Telnet or any other traffic. Because the gateway understands the application protocol, it can log user activity and logins. It offers more security than a packet filter but has a significant impact on network performance, since every connection is handled by a proxy process and the resulting context switches slow down network access dramatically.
Stateful Multilayer Inspection Firewall
Stateful multilayer inspection firewalls combine aspects of the three types described above. They filter packets at the network layer, track the state of each session to determine whether a packet belongs to an allowed connection, and can evaluate the contents of packets at the application layer. A stateful multilayer firewall allows a direct connection between client and host and offers more security, performance and transparency to end users than the earlier types.
Linux packet filtering is controlled by the program Iptables, the administration tool for the packet-filtering framework built into the kernel. It works at the network and transport layers and protects the system by filtering packets on the information in their IP and transport headers before routing decisions are made. Iptables requires administrative privileges: it must be run as root, otherwise it cannot change the kernel's rules. Iptables is used to set up, maintain and inspect the packet-filter tables in the Linux kernel. Each table holds built-in chains (for the filter table these are the INPUT, OUTPUT and FORWARD chains) and any number of user-defined chains. Each chain is an ordered list of rules applied to the packets traversing it, and each rule specifies what to do with a packet that matches it; rules can be set to accept, reject or drop packets from an external network. Moreover, Linux packet filters are fast and easy to maintain within the operating system.
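As an added example (not code from the report or from Iptables itself), the Python program below models the connection tracking that separates the stateful firewall of the previous section from the stateless packet filter. It mirrors the usual Iptables pattern of accepting NEW connections in the OUTPUT chain and only ESTABLISHED traffic in the INPUT chain (`-m conntrack --ctstate`), and contrasts it with the stateless substitute of accepting any inbound TCP segment that has the ACK flag set. Hosts, ports and the packet trace are constructed for the example, and connection teardown is simplified to a single FIN or RST closing the entry.

```python
"""Added example: minimal TCP connection tracking, stateful verdicts versus a
stateless 'accept inbound ACK' return-traffic rule."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    inbound: bool        # True: arrives from outside toward the protected host


ConnKey = Tuple[str, int, str, int]   # (initiator, iport, responder, rport)


def conn_key(p: Pkt) -> ConnKey:
    """Map both directions of one connection onto the same table entry."""
    return (p.dst, p.dport, p.src, p.sport) if p.inbound else (p.src, p.sport, p.dst, p.dport)


class StatefulFilter:
    """Policy: the inside may open connections; the outside only gets replies."""

    def __init__(self) -> None:
        self.table: Dict[ConnKey, str] = {}   # key -> "SYN_SENT" | "ESTABLISHED"

    def classify(self, p: Pkt) -> str:
        entry = self.table.get(conn_key(p))
        is_syn = bool(p.flags & SYN) and not p.flags & ACK
        if entry is None:
            # A bare SYN opens a connection; any other packet without an
            # entry belongs to no connection we have seen.
            return "NEW" if is_syn else "INVALID"
        return "ESTABLISHED"

    def filter(self, p: Pkt) -> str:
        state = self.classify(p)
        key = conn_key(p)
        if state == "NEW" and not p.inbound:
            self.table[key] = "SYN_SENT"
            return "ACCEPT"
        if state == "ESTABLISHED":
            if p.flags & (FIN | RST):
                del self.table[key]            # simplified teardown
            elif p.inbound and p.flags & SYN and p.flags & ACK:
                self.table[key] = "ESTABLISHED"  # handshake reply seen
            return "ACCEPT"
        return "DROP"                          # NEW inbound or INVALID: default deny


def stateless_return_rule(p: Pkt) -> str:
    """Stateless substitute for return traffic: let any inbound TCP with ACK through."""
    return "ACCEPT" if p.inbound and p.flags & ACK else "DROP"


def run_stateful(packets: List[Pkt]) -> List[str]:
    f = StatefulFilter()
    return [f.filter(p) for p in packets]


# Constructed traffic, not a capture. 10.0.0.5 is the protected client.
HOST, WEB, ATTACKER = "10.0.0.5", "203.0.113.10", "198.51.100.7"
TRACE = [
    Pkt(HOST, 40000, WEB, 443, SYN, inbound=False),       # client opens HTTPS
    Pkt(WEB, 443, HOST, 40000, SYN | ACK, inbound=True),  # legitimate reply
    Pkt(ATTACKER, 443, HOST, 40000, ACK, inbound=True),   # forged "reply", no state
    Pkt(ATTACKER, 12345, HOST, 22, SYN, inbound=True),    # unsolicited SSH attempt
    Pkt(WEB, 443, HOST, 40000, RST, inbound=True),        # server tears it down
    Pkt(WEB, 443, HOST, 40000, ACK, inbound=True),        # late packet after teardown
]

if __name__ == "__main__":
    for p, sf, sl in zip(TRACE, run_stateful(TRACE), map(stateless_return_rule, TRACE)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} flags=0x{p.flags:02x} "
              f"stateful={sf:6s} stateless={sl}")
```

The third packet is the point of the example: a forged segment with the ACK bit set passes the stateless return-traffic rule, but the connection tracker has no entry for it and classifies it INVALID. The same applies to the late packet after the RST, which a stateless filter cannot tell apart from live traffic.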
When choosing a firewall there are many areas of concern, such as installation, configuration, ease of use, documentation, support and features, that should factor into the selection criteria. A number of Linux firewalls were studied, including Iptables, IPCop, Shorewall, Monowall and Firehol. Selecting among them from the performance perspective appeared to be the most useful approach. After reviewing the literature, the following Linux firewalls were found suitable for performance comparison and evaluation because of their active support, capabilities and documentation.
Software-based firewalls each have their own specific features. The selected firewalls satisfy the performance metrics defined for the evaluation and, moreover, use a similar filtering mechanism to secure a network. Both firewalls were exposed to identical tests to find out the differences between them.
Limitations of Firewalls
Firewalls have a number of limitations; some of them are described below:
Attacks against open ports, such as buffer overflow attacks against services the firewall does not block.
Attacks on the firewall itself, for example exploiting a buffer overflow in the firewall's packet-parsing code.
Attacks that bypass the firewall altogether: internal systems may, for instance, have dial-out capability to connect directly to an ISP.
Attacks from compromised machines that have a VPN or other tunnel through the firewall; this applies in particular to perimeter firewalls.
A firewall cannot find other vulnerabilities that might allow attackers to access the internal network.
A firewall may not fully protect against internal threats, such as disgruntled employees who know the entire network architecture.
Packet-filtering firewalls do not guard against malware, viruses and worms from the Internet, because they do not scan or examine a packet's payload.
Denial-of-service attacks against the network link or the firewall itself.
A firewall cannot tell the user that it has been incorrectly configured. Moreover, it cannot encrypt confidential documents and messages sent within an organization.
Table of contents
1.1 Aim and Scope
1.2 Evaluation Method
1.2.1 Performance Metrics
1.3 Outline of the Project
2.1 Working of a Firewall
2.1.1 Packet Inspection
2.2 Types of Firewalls
2.2.1 Packet Filtering Firewall
2.2.2 Circuit Level Gateways
2.2.3 Application Level Gateways
2.2.4 Stateful Multilayer Inspection Firewall
2.3 Linux Iptables
2.4 Firewalls Selection
2.5 Limitations of Firewalls
2.6 Related Work
3.2 Experimental steps
3.3 Traffic Classification
3.3.1 Real-time (Online) Evaluation
3.3.2 Off-line Evaluation
3.4 Traffic Duration
3.5 Evaluation Procedure
3.6 Evaluation Tools
3.7 Evaluation Metrics
3.7.3 Connection Establishment rate
3.7.4 Connection Teardown Rate
3.7.5 HTTP Transfer Rate
3.7.6 System Resource Consumption
4.1 Specifications of computers
4.2 Firewalls Installation
4.3 Configuration of Firewalls
4.4 Implementation of Evaluation Metrics
4.4.3 Connection Establishment Rate
4.4.4 Connection Teardown Rate
4.4.5 HTTP Transfer Rate
4.4.6 System Resource Consumption
5.3 Connection Establishment and Teardown Rate
5.4 HTTP Transfer Rate
5.5 System Resource Consumption
6.1 Future Work